Security Breach in AD W/2000 Server

Guest

Hello, my name is Todd and I am an MCP (almost an MCSA-2003) working for a
Computer Consulting business. One of our clients (our biggest one) has AD
running and we have had a heck of a time figuring out this problem:
The only 2 people with administrative permissions on the entire domain are
my boss (owner of company) and myself. However, we keep finding new users
that are being created and are being assigned to the built-in Administrators
group, giving them admin permissions. There appears to be no way to stop
them. We have changed our Administrator account password (although I don't
think this would have helped anyway, as the accounts that are being created
have admin rights...they don't need our account). We have removed all spyware /
adware and have run virus scans galore (although we periodically still have
to remove them from the system...even in the past couple of weeks). The only
ports open are those we are using...it seems to be a secure environment with
the exception of the ghost administrator running around. We have tried
deleting the accounts from the default admin group and have disabled the
accounts. They either reappear a few days after being deleted, or when we
disable the accounts they return with different names like "1", "2", "skip0"
and "dick".

Has anyone ever heard of a similar problem or hack that we could look for
that would allow someone without admin rights (or by using a system account
with those rights) to create admin accounts?

I know this is a complicated one, but this has been going on for over 2
months and we need help!

Thanks in advance

Todd
 
Laura E. Hunter (MVP)

Have you enabled auditing for "Account Management" events? This will tell
you when and where the accounts are being created, and what account is being
used to create them.

Have you checked for unusual services or program names listed in the
Services Applet, Task Manager or Run keys in the registry?

You can also set up Restricted Groups to control membership in the
Administrators, Domain Admins & Enterprise Admins groups.

Unless you find that these accounts are being created by someone internal to
the network, I'd frankly recommend a complete rebuild of the server. Review
the 10 Immutable Laws of Security: if an outsider can get your computer to
do what he wants it to do without your consent, then it's not your computer
anymore. If someone has installed some type of back door into your
computer, then the only way to be certain that you've removed the
vulnerability is to "nuke and pave."
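The Account Management audit trail Laura describes lands in the Security log on the domain controller. The following script is an added example, not something posted in this thread: it pulls the user-creation and privileged-group-membership events, plus audit-log-cleared events, and reports which account performed each action. The event IDs are the Windows Server 2008 and later values; the Windows 2000/2003 equivalents are noted in the comments. The 30-day window and the choice of groups are assumptions.

```powershell
# Added example, not part of the thread: list Account Management audit events
# from a DC's Security log and show which account performed each action.
# IDs are the Windows Server 2008+ values; Windows 2000/2003 logged the same
# events as 624 (user created), 636 (member added to local group), 632 (global
# group), 660 (universal group) and 517 (audit log cleared).
param([int]$Days = 30)   # assumption: how far back to search

$Ids = 4720, 4728, 4732, 4756, 1102
# Well-known RIDs of the groups worth watching: Administrators, Domain Admins,
# Enterprise Admins (assumption: these are the groups of interest).
$PrivilegedRids = '-544', '-512', '-519'

$Filter = @{ LogName = 'Security'; Id = $Ids; StartTime = (Get-Date).AddDays(-$Days) }
Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($_.Id) {
        1102 {
            # Log-cleared events carry the actor under UserData, not EventData.
            $c = $x.Event.UserData.LogFileCleared
            $actor  = "$($c.SubjectDomainName)\$($c.SubjectUserName)"
            $logon  = $c.SubjectLogonId
            $action = 'Security log cleared'
        }
        4720 {
            $actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            $logon  = $d.SubjectLogonId
            $action = "user created: $($d.TargetDomainName)\$($d.TargetUserName)"
        }
        default {
            # Group-membership adds: TargetSid is the group, MemberName the new
            # member. Skip additions to groups other than the privileged ones.
            $rid = $d.TargetSid -replace '^.*(-\d+)$', '$1'
            if ($PrivilegedRids -notcontains $rid) { return }
            $actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            $logon  = $d.SubjectLogonId
            $action = "added $($d.MemberName) to $($d.TargetDomainName)\$($d.TargetUserName)"
        }
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Actor   = $actor
        LogonId = $logon   # match against 4624 logon events to find the source host
        Action  = $action
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it on each domain controller, since account-management events are logged on whichever DC processed the change; a 1102 entry shortly before a gap in the results is itself a finding.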
 
Guest

Hello Laura, thanks so much for your quick response.
To answer a few of your questions...

first...We have enabled success and failure events for account management,
but I haven't seen anything unusual in the event viewer. I looked for the
event triggered by our most recent account that was created over the weekend,
but I didn't see it. Is there a good way that I can filter out the event
created by this audit? What would the source be?

second...we removed MANY processes and programs after virus scanning from
our Winnt/system32 folder that were malicious, but we thought we had solved
the problem after removing anything that we found to be suspicious or
malicious. I was actually kind of hoping someone would know of a similar
process that may have been installed somewhere that we haven't found yet.
But yes, everything has been removed that we are aware of.

third...I haven't heard of Restricted Groups and am unfamiliar with how that
would help me. Can I have more info on that, because that sounds like it would
be a great solution for us.

We can't really just wipe the OS and start over on this because it's our SQL
database and we really need to just figure out the problem and fix it. We
haven't totally thrown that option out the window, but we must exhaust every
possible fix before we even consider it, as you probably understand.

Thanks again for your suggestions and patience. I'll look forward to
hearing from you again!

Todd
 
Guest

I have used event viewer many times, I was just unable to locate the event
triggered by the audit (ghost admin may have erased it actually).
I didn't remember having learned about Restricted Groups, although knowing
the training I went through it was probably explained in 1 sentence then
forgotten.
I have now configured Restricted Groups and I really hope that helps. It
just may do the trick.

Again I appreciate the assistance.

Todd